Improper Removal of Sensitive Information Before Storage or Transfer Affecting qemu-project/qemu package, versions [10.0.0-rc0,10.1.0-rc4)

Q: How to fix?

Upgrade qemu-project/qemu to version 10.1.0-rc4 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-UNMANAGED-QEMUPROJECTQEMU-12946157
published21 Sept 2025
disclosed11 Aug 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 11 Aug 2025

CVE-2025-8860 (opens in a new tab) CWE-212 (opens in a new tab)

How to fix?

Upgrade qemu-project/qemu to version 10.1.0-rc4 or higher.

Overview

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer via the uefi_vars_write function. The UEFI_VARS_REG_PIO_BUFFER_TRANSFER register is not cleared between write callbacks with uefi_vars_write and read callbacks with uefi_vars_read, so a malicious guest can read residual memory from previous invocations.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None